Data Protection Fee: the ICO to contact all businesses to remind them of their obligations

Last week, the Information Commissioner’s Office (“ICO”) announced that it has launched a campaign to remind registered companies in the UK of the legal responsibility to pay a data protection fee.

In the ICO’s update (which can be found here) it states that the move comes as part of its drive to make sure that those businesses that are required to pay the data protection fee do so.

What is probably the most surprising is that the ICO now intends to write to all businesses registered in the UK (presumably a very costly and laborious task!) to remind businesses of their potential obligation to pay the fee. Receiving such correspondence may cause alarm to some businesses, particularly smaller businesses or sole traders who have never had an obligation to pay such a fee or who are actually exempt from doing so.

What is the data protection fee?

The Data Protection (Charges and Information) Regulations 2018 came into force in May 2018 but with much less fanfare than the GDPR. It requires businesses who determine the purpose for which personal data is processed (data controllers) to pay a data protection fee to the ICO (unless they are covered by an exemption) and replaces the requirement under previous data protection legislation for businesses to notify (or register).

The level of data protection fee payable will depend on the size and turnover of your business and can range from £40 to £2,900. The Regulations implement 3 tiers of organisation and determine a fee for each tier:

Tier   | Criteria                                                                   | Annual fee
Tier 1 | Maximum annual turnover of £632,000 or no more than 10 members of staff    | £40
Tier 2 | Maximum annual turnover of £36 million or no more than 250 members of staff | £60
Tier 3 | None of the above                                                          | £2,900

There are exemptions to the requirement to pay this fee, but these are very limited. Generally, where you are a data controller for the purposes of the General Data Protection Regulation (GDPR), you will have to pay this fee.

To demonstrate compliance, the ICO publishes details of data controllers who pay the fee on its data protection register, which is made available via its website. There are currently over 600,000 businesses that have registered to pay. Failure to pay a data protection fee where required is a breach of the law, with the ICO's maximum penalty being a fine of £4,350. Between 1 July and 30 September 2019, the ICO issued 340 penalties to businesses that had failed to pay.

Does it apply to your business?

If you are unsure whether your business has an obligation to pay the data protection fee, the ICO has a self-assessment checker on its website which you should carry out (to access the self-assessment click here).

There are some narrow exemptions to the data protection fee requirement, which include any circumstances where you are processing personal data solely for certain purposes, including for staff administration, not-for-profit purposes, for advertising or marketing, for keeping accounts and recording transactions or for personal matters.

What should you do next?

Receiving an unsolicited letter from the ICO may be a cause of concern, particularly for smaller businesses, where a breach of their obligations could result in a monetary penalty. Where you are unsure whether you should be paying a data protection fee, you should carry out a self-assessment on the ICO website. Given the potential level of the fine for smaller businesses, some businesses may decide to pay the data protection fee regardless (without there being a requirement to). However, if you are unsure of your obligations (and to avoid paying unnecessary fees), you should seek clarity from the ICO.

If you require any advice on data protection or privacy, or are unsure whether your business practices are compliant with data protection law, you can contact our Data Protection Specialists on 0345 872 6666.